Well, the results of this do not show a mismatch in SMB signing settings. Perhaps the problem is actually a name DFS referral problem for accessing sysvol.
Please verify the DFS service is running on all domain controllers.
Also, as a workaround, you can set up GPMC as your group policy management interface. This allows you to edit a GPO by focusing on any domain controller you choose.
--
Glenn L
CCNA, MCSE 2000, MCSE 2003 + Security
Sorry for such a dumb question. I was expecting to be able to copy to .reg file in here.
From the W2K workstation:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
"enableplaintextpassword"=dword:00000001
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000000
"OtherDomains"=hex(7):00,00
From the W2K workstation:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"autodisconnect"=dword:0000000f
"enableforcedlogoff"=dword:00000001
"enablesecuritysignature"=dword:00000000
"requiresecuritysignature"=dword:00000000
"NullSessionPipes"=hex(7):43,00,4f,00,4d,00,4e,00,41,00,50,00,00,00,43,00,4f,\
00,4d,00,4e,00,4f,00,44,00,45,00,00,00,53,00,51,00,4c,00,5c,00,51,00,55,00,\
45,00,52,00,59,00,00,00,53,00,50,00,4f,00,4f,00,4c,00,53,00,53,00,00,00,45,\
00,50,00,4d,00,41,00,50,00,50,00,45,00,52,00,00,00,4c,00,4f,00,43,00,41,00,\
54,00,4f,00,52,00,00,00,54,00,72,00,6b,00,57,00,6b,00,73,00,00,00,54,00,72,\
00,6b,00,53,00,76,00,72,00,00,00,00,00
"NullSessionShares"=hex(7):43,00,4f,00,4d,00,43,00,46,00,47,00,00,00,44,00,46,\
00,53,00,24,00,00,00,00,00
"Lmannounce"=dword:00000000
"Size"=dword:00000001
"Guid"=hex:09,78,09,15,09,40,35,4b,ac,ed,78,3e,da,a3,8f,7c
"CachedOpenLimit"=dword:00000000
=======
From the PDC (upgrade from W2K to W2K3):
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
"enableplaintextpassword"=dword:00000000
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000000
"OtherDomains"=hex(7):00,00
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
77,00,6b,00,73,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00
From the PDC:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"autodisconnect"=dword:0000000f
"enableforcedlogoff"=dword:00000001
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000001
"NullSessionPipes"=hex(7):43,00,4f,00,4d,00,4e,00,41,00,50,00,00,00,43,00,4f,\
00,4d,00,4e,00,4f,00,44,00,45,00,00,00,53,00,51,00,4c,00,5c,00,51,00,55,00,\
45,00,52,00,59,00,00,00,53,00,50,00,4f,00,4f,00,4c,00,53,00,53,00,00,00,45,\
00,50,00,4d,00,41,00,50,00,50,00,45,00,52,00,00,00,4c,00,4f,00,43,00,41,00,\
54,00,4f,00,52,00,00,00,54,00,72,00,6b,00,57,00,6b,00,73,00,00,00,54,00,72,\
00,6b,00,53,00,76,00,72,00,00,00,43,00,45,00,52,00,54,00,00,00,48,00,79,00,\
64,00,72,00,61,00,4c,00,73,00,50,00,69,00,70,00,65,00,00,00,54,00,65,00,72,\
00,6d,00,53,00,65,00,72,00,76,00,4c,00,69,00,63,00,65,00,6e,00,73,00,69,00,\
6e,00,67,00,00,00,54,00,4d,00,52,00,50,00,43,00,5c,00,53,00,50,00,4e,00,54,\
00,53,00,56,00,43,00,00,00,54,00,4d,00,52,00,50,00,43,00,5c,00,53,00,74,00,\
57,00,61,00,74,00,63,00,68,00,44,00,6f,00,67,00,00,00,00,00
"NullSessionShares"=hex(7):43,00,4f,00,4d,00,43,00,46,00,47,00,00,00,44,00,46,\
00,53,00,24,00,00,00,00,00
"Lmannounce"=dword:00000000
"Size"=dword:00000003
"Guid"=hex:bb,ef,94,6d,76,58,e2,40,aa,43,ed,fa,4d,1c,73,f4
"restrictnullsessaccess"=dword:00000001
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
73,00,72,00,76,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00
:
Just open the .reg file into notepad and cut and paste the contents.
--
Glenn L
CCNA, MCSE 2000, MCSE 2003 + Security
Yes, I can create and edit GPOs from the PDC. I have mixed results when creating and editing from others. When I created and edited from an upgraded domain controller, at one point I received this error message when opening Group Policy Management: The Enterprise Domain Controllers group must have read access on all GPOs in the domain in order for Group Policy Modeling to function properly. I can't even find that group to add it. However, when I tried to create and edit a GPO on this same domain controller I received the same error message as in my original post. On the PDC (which was upgraded to W2K3) and a DC that was a fresh install I was able to create and edit a GPO with no problem.
Initially I was trying to create and edit the policy from a Windows 2000 Workstation with Service Pack 4, and also from a W2K workstation with SP3.
Below are the registry exports you requested. The first two are from the workstation and the second two from the PDC.
Well -- I did the export, but can't figure out how to paste them in here (sorry, I've not used this forum much).
:
You can continue to administer GPO from W2K after you upgrade some or all DCs to W2K3.
There are many reasons for this error.
Can you create and edit GPOs from the PDC itself?
Can you create and edit GPOs from other W2K3 DCs?
Does it only fail from a W2K system?
Is the W2K system a DC or a member server/workstation?
I bet you are seeing a mismatch with SMB signing requirements.
Export HKLM\system\CCS\services\lanmanserver\parameters & lanmanworkstation\parameters from both the PDC and your W2K management station.
Paste into this thread identifying which is which.
We can see from this if there is a mismatch in the signing requirements.
--
Glenn L
CCNA, MCSE 2000, MCSE 2003 + Security
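The comparison requested in the post above can be scripted. This is an added example, not code from any poster in this thread: it reads the two signing values from each .reg export and evaluates them for the management station (SMB client, lanmanworkstation) connecting to the PDC (SMB server, lanmanserver). The function names and the SMB1 outcome model (a side that requires signing fails against a side that has it disabled) are assumptions of this example.

```python
import re

# Constructed samples: only the signing values from the exports posted in
# this thread, with the wrapped key paths rejoined.
WORKSTATION_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000000
"""
PDC_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000001
"""

DWORD = re.compile(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def signing_flags(reg_text, service):
    """Return (enabled, required) from <service>\\parameters in a .reg export.
    Values missing from the export are treated as 0 (assumption)."""
    flags = {"enablesecuritysignature": 0, "requiresecuritysignature": 0}
    wanted = "\\services\\%s\\parameters]" % service
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.lower().endswith(wanted)
            continue
        m = DWORD.match(line)
        if in_key and m and m.group(1).lower() in flags:
            flags[m.group(1).lower()] = int(m.group(2), 16)
    return (bool(flags["enablesecuritysignature"]),
            bool(flags["requiresecuritysignature"]))

def negotiate(client, server):
    """SMB1 outcome for client (enabled, required) vs server (enabled, required)."""
    c_can = client[0] or client[1]   # "required" is taken to imply capable
    s_can = server[0] or server[1]
    if (client[1] and not s_can) or (server[1] and not c_can):
        return "mismatch"            # one side demands what the other refuses
    return "signed" if (c_can and s_can) else "unsigned"

def check_thread_exports():
    client = signing_flags(WORKSTATION_REG, "lanmanworkstation")
    server = signing_flags(PDC_REG, "lanmanserver")
    return negotiate(client, server)

if __name__ == "__main__":
    print("W2K workstation -> PDC:", check_thread_exports())
```

With the values posted in this thread the result is a signed session rather than a mismatch; a client with both values at 0 against the same PDC would be reported as a mismatch.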
Can you create and edit a new group policy using the Windows 2000 snap-in after upgrading your PDC and other domain controllers to Windows Server 2003, Standard Edition? When I try this it lets me add a new one, but when I click Edit I get an error message: Failed to open the Group Policy Object. You may not have appropriate rights. Details: The system cannot find the path specified. It's looking for the file on the PDC, which is located in a different site. Prior to upgrading to 2003 the PDC was in the same site I am in. I am a domain administrator. Things appear to be working correctly using the GPMC. Any help would be appreciated.